
Upgrade glob to v11 to fix minimatch ReDoS vulnerability#1936

Merged
azu merged 3 commits into master from copilot/fix-glob-dependency-issue on Feb 21, 2026

Conversation

Contributor

Copilot AI commented Feb 21, 2026

glob v10 depends on minimatch v9, which has a ReDoS vulnerability (CVE-2026-26996, GHSA-3ppc-4f35-3m26). Patterns with many consecutive asterisks followed by non-matching literals cause exponential backtracking.

Changes

  • Upgrade glob: ^10.5.0 → ^11.1.0 in packages/textlint/package.json
    • Pulls in minimatch v10.2.1 (patched version)
  • Remove @types/glob: glob v11 ships with built-in TypeScript definitions
Original prompt

This section details the original issue you should resolve

<issue_title>Vulnerable Dependency: glob (due to minimatch)</issue_title>
<issue_description>Howdy, thanks for supporting/maintaining textlint!

glob v10 depends on a minimatch version that has a CVE: GHSA-3ppc-4f35-3m26

It looks like glob v11 uses a newer version of minimatch that is not affected, and still supports back to node 20 which would align with the current supported version specified in textlint.</issue_description>

<agent_instructions>fix glob dependencies and check audit</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: azu <19714+azu@users.noreply.github.com>
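The dependency upgrade in this PR is the actual fix. Where a tool also accepts glob patterns from an untrusted source (command-line arguments, a shared config file, a form field), a boundary check that refuses the pattern shape named in the advisory (many consecutive asterisks) is a cheap second layer. The following is an added example written for this page; it is not code from textlint, glob or minimatch. It rejects rather than rewrites suspicious patterns, so it assumes nothing about how the matcher interprets them, and both limits (`MAX_PATTERN_LENGTH`, `MAX_CONSECUTIVE_STARS`) are values chosen for this example.

```javascript
// Added example, not code from textlint, glob or minimatch: a boundary check
// for glob patterns that arrive from an untrusted source. The advisory behind
// this PR describes patterns with many consecutive asterisks followed by
// non-matching literals; this guard refuses such input outright instead of
// rewriting it. Both limits below are assumptions chosen for this example.

const MAX_PATTERN_LENGTH = 256;   // assumed cap; raise it if your patterns are longer
const MAX_CONSECUTIVE_STARS = 2;  // "**" (globstar) is the longest run this guard accepts

const LONG_STAR_RUN = new RegExp("\\*{" + (MAX_CONSECUTIVE_STARS + 1) + ",}");

// Returns { ok: true } or { ok: false, reason } for a single pattern.
function checkGlobPattern(pattern) {
  if (typeof pattern !== "string") {
    return { ok: false, reason: "pattern is not a string" };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: `pattern longer than ${MAX_PATTERN_LENGTH} characters` };
  }
  const run = LONG_STAR_RUN.exec(pattern);
  if (run) {
    return {
      ok: false,
      reason: `run of ${run[0].length} consecutive '*' at offset ${run.index}`,
    };
  }
  return { ok: true };
}

// Splits a list of patterns into the ones safe to hand to the matcher and the
// ones to reject (with the reason, for logging).
function partitionPatterns(patterns) {
  const accepted = [];
  const rejected = [];
  for (const p of patterns) {
    const result = checkGlobPattern(p);
    if (result.ok) accepted.push(p);
    else rejected.push({ pattern: p, reason: result.reason });
  }
  return { accepted, rejected };
}

// Constructed inputs for a quick run; the second one has the shape the advisory describes.
const demo = partitionPatterns(["src/**/*.md", "docs/" + "*".repeat(40) + "x.txt"]);
console.log(demo);
```

Run the rejected list through your normal logging so an operator can see which inputs were dropped and why; a sudden volume of rejected patterns is itself a useful signal.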
Copilot AI changed the title [WIP] Fix vulnerable dependency in glob due to minimatch Upgrade glob to v11 to fix minimatch ReDoS vulnerability Feb 21, 2026
Copilot AI requested a review from azu February 21, 2026 01:26
@azu azu marked this pull request as ready for review February 21, 2026 01:46
Copilot AI review requested due to automatic review settings February 21, 2026 01:46
Contributor

Copilot AI left a comment


Pull request overview

This PR upgrades the glob package from v10.5.0 to v11.1.0 to address a ReDoS (Regular Expression Denial of Service) vulnerability in the minimatch dependency (GHSA-3ppc-4f35-3m26). The vulnerable minimatch v9 used by glob v10 has been replaced with the patched minimatch v10.2.1 that comes with glob v11. Additionally, the @types/glob package has been removed since glob v11 ships with built-in TypeScript definitions.

Changes:

  • Updated glob dependency from ^10.5.0 to ^11.1.0 in packages/textlint/package.json
  • Removed @types/glob devDependency as it's no longer needed
  • Updated pnpm-lock.yaml to reflect the new glob version and its dependencies, including minimatch v10.2.1

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| packages/textlint/package.json | Updated glob to ^11.1.0 and removed @types/glob from devDependencies |
| pnpm-lock.yaml | Updated lock file with glob v11.1.0, minimatch v10.2.1, and removed obsolete type definitions |
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
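The review above could not inspect pnpm-lock.yaml, yet the lock file is where the transitive minimatch version is actually pinned. The following is an added example, not code from textlint or pnpm, of the check a maintainer can run over a lock file to confirm that no minimatch entry older than the patched release named in this PR (10.2.1) remains. It assumes the pnpm lockfile v9 layout (a top-level `packages:` section whose keys are `name@version`, quoted for scoped names, optionally followed by a `(peer@version)` suffix), compares release versions numerically while ignoring prerelease tags, and uses a constructed lock-file excerpt rather than textlint's real one.

```javascript
// Added example, not code from textlint or pnpm: scan a pnpm-lock.yaml for
// minimatch entries and flag versions older than the patched release named in
// the PR (10.2.1). The lockfile text below is constructed for this example and
// is not the real textlint lock file.

const PATCHED = { minimatch: "10.2.1" }; // fixed version as stated in the PR

// Constructed excerpt in pnpm lockfile v9 layout (integrity hashes are placeholders).
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'

packages:

  '@types/glob@8.1.0':
    resolution: {integrity: sha512-CONSTRUCTED}

  glob@10.5.0:
    resolution: {integrity: sha512-CONSTRUCTED}

  glob@11.1.0:
    resolution: {integrity: sha512-CONSTRUCTED}

  minimatch@9.0.5:
    resolution: {integrity: sha512-CONSTRUCTED}

  minimatch@10.2.1:
    resolution: {integrity: sha512-CONSTRUCTED}
`;

// Parse "name@version" keys from the packages: section. Scoped names may be
// quoted; a trailing "(peer@x)" suffix is ignored.
function parseLockfilePackages(text) {
  const found = [];
  let inPackages = false;
  for (const line of text.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level key
    if (!inPackages) continue;
    const m = /^  '?(@?[^@'\s]+)@([^'(:\s]+)(?:\([^)]*\))*'?:\s*$/.exec(line);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Numeric major.minor.patch comparison; prerelease suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns every locked entry whose package has a known fixed version and whose
// locked version is older than it.
function findOutdated(text, patched = PATCHED) {
  return parseLockfilePackages(text).filter(
    (p) => patched[p.name] !== undefined && compareVersions(p.version, patched[p.name]) < 0
  );
}

console.log(findOutdated(SAMPLE_LOCKFILE)); // the stale minimatch@9.0.5 entry
```

A non-empty result after the upgrade means some other dependency still resolves the old minimatch, which `pnpm why minimatch` will attribute; wire the check into CI so a later lock-file change cannot quietly reintroduce the vulnerable range.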
Member

@azu azu left a comment


lgtm

@azu azu enabled auto-merge (squash) February 21, 2026 02:13
@azu azu merged commit 59369f8 into master Feb 21, 2026
23 checks passed
@azu azu deleted the copilot/fix-glob-dependency-issue branch February 21, 2026 02:17
@github-actions github-actions bot mentioned this pull request Feb 21, 2026
azu added a commit that referenced this pull request Feb 21, 2026
<!-- Release notes generated using configuration in .github/release.yml
at master -->

## What's Changed
### CI
* chore(deps): update github/codeql-action action to v3.31.10 by
@renovate[bot] in #1902
* chore(deps): update rossjrw/pr-preview-action action to v1.8.1 by
@renovate[bot] in #1907
* chore(deps): update github/codeql-action action to v3.31.11 by
@renovate[bot] in #1911
* chore(deps): update github/codeql-action action to v3.32.0 by
@renovate[bot] in #1913
* fix(website): use github-actions[bot] as deploy committer by @azu in
#1918
* chore(deps): update github/codeql-action action to v3.32.1 by
@renovate[bot] in #1919
* chore(deps): update github/codeql-action action to v3.32.2 by
@renovate[bot] in #1924
* chore(deps): update github/codeql-action action to v3.32.3 by
@renovate[bot] in #1933
### Dependency Updates
* chore(deps): update pnpm to v10.28.1 by @renovate[bot] in
#1903
* chore(deps): update eslint to ^8.53.1 (patch) by @renovate[bot] in
#1904
* fix(deps): update dependency @modelcontextprotocol/sdk to ^1.25.3 by
@renovate[bot] in #1905
* fix(deps): update dependency lodash to ^4.17.23 by @renovate[bot] in
#1906
* chore(deps): update pnpm to v10.28.2 by @renovate[bot] in
#1908
* chore(deps): update eslint to ^8.54.0 (minor) by @renovate[bot] in
#1909
* fix(deps): update react monorepo to ^19.2.4 (patch) by @renovate[bot]
in #1910
* fix(deps): update babel monorepo to ^7.29.0 (minor) by @renovate[bot]
in #1912
* chore(deps): update dependency @types/node to ^24.10.10 by
@renovate[bot] in #1914
* fix(deps): update dependency @modelcontextprotocol/sdk to ^1.26.0 by
@renovate[bot] in #1915
* chore(deps): update dependency @types/react to ^18.3.28 by
@renovate[bot] in #1916
* chore(deps): update dependency @types/node to ^24.10.11 by
@renovate[bot] in #1917
* chore(deps): update pnpm to v10.29.1 by @renovate[bot] in
#1920
* chore(deps): update dependency @types/node to ^24.10.12 by
@renovate[bot] in #1921
* chore(deps): update pnpm to v10.29.2 by @renovate[bot] in
#1922
* chore(deps): update eslint to ^8.55.0 (minor) by @renovate[bot] in
#1923
* chore(deps): update dependency lerna to ^9.0.4 by @renovate[bot] in
#1926
* chore(deps): update dependency @types/node to ^24.10.13 by
@renovate[bot] in #1925
* chore(deps): update pnpm to v10.29.3 by @renovate[bot] in
#1929
* chore(deps): update dependency ajv to ^8.18.0 by @renovate[bot] in
#1930
* chore(deps): update dependency rimraf to ^6.1.3 by @renovate[bot] in
#1931
* chore(deps): update eslint to ^8.56.0 (minor) by @renovate[bot] in
#1932
* chore(deps): update pnpm to v10.30.0 by @renovate[bot] in
#1935
### Other Changes
* Upgrade glob to v11 to fix minimatch ReDoS vulnerability by @Copilot
in #1936


**Full Changelog**:
v15.5.1...v15.5.2

Co-authored-by: azu <azu@users.noreply.github.com>


Development

Successfully merging this pull request may close these issues.

Vulnerable Dependency: glob (due to minimatch)

3 participants